Issue
I intend to create a use passwordless connection using SSH Keys between a client and a server.
Using paramiko, I end up in a AuthenticationException. Using standard SSH via Popen, I can connect without problems
For Paramiko I use the following code:
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.load_system_host_keys()
client.connect(ssh_server, username=ssh_user)
For the same situation, I am able to use SSH:
cmd = 'ssh -o GSSAPIAuthentication=no -o ForwardX11=no {}@{} echo 0 > /dev/null'.format(ssh_user, ssh_server)
process = subprocess.Popen(md, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
process.communicate()
I am using Python 3.4.6 and Paramiko 2.4.1.
Some more details:
- I am able to establish a connection with Paramiko on a different client
- On this specific client, the user for ssh impersonation is not the same as the user who starts the call.
Paramiko Debug Output
2018-07-11 20:55:54,025 20730 DEBUG: putting paramiko output to console
2018-07-11 20:55:54,112 20730 DEBUG: starting thread (client mode): 0x4ca07320
2018-07-11 20:55:54,112 20730 DEBUG: Local version/idstring: SSH-2.0-paramiko_2.4.1
2018-07-11 20:55:54,112 20730 DEBUG: Remote version/idstring: SSH-2.0-OpenSSH_7.2
2018-07-11 20:55:54,112 20730 INFO: Connected (version 2.0, client OpenSSH_7.2)
2018-07-11 20:55:54,115 20730 DEBUG: kex algos:['[email protected]', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group14-sha1'] server key:['ssh-rsa', 'rsa-sha2-512', 'rsa-sha2-256', 'ssh-dss', 'ecdsa-sha2-nistp256', 'ssh-ed25519'] client encrypt:['[email protected]', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', '[email protected]', '[email protected]'] server encrypt:['[email protected]', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', '[email protected]', '[email protected]'] client mac:['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] server mac:['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] client compress:['none', '[email protected]'] server compress:['none', '[email protected]'] client lang:[''] server lang:[''] kex follows?False
2018-07-11 20:55:54,115 20730 DEBUG: Kex agreed: ecdh-sha2-nistp256
2018-07-11 20:55:54,115 20730 DEBUG: HostKey agreed: ecdsa-sha2-nistp256
2018-07-11 20:55:54,115 20730 DEBUG: Cipher agreed: aes128-ctr
2018-07-11 20:55:54,115 20730 DEBUG: MAC agreed: hmac-sha2-256
2018-07-11 20:55:54,116 20730 DEBUG: Compression agreed: none
2018-07-11 20:55:54,123 20730 DEBUG: kex engine KexNistp256 specified hash_algo <built-in function openssl_sha256>
2018-07-11 20:55:54,124 20730 DEBUG: Switch to new keys ...
Exception: No authentication methods available
SSH DEBUG: (using ssh -v ssh_user AT ssh_server)
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /home/pid1083/.ssh/config
debug1: /home/pid1083/.ssh/config line 17: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to <ssh_server> port 22.
debug1: Connection established.
debug1: identity file /home/<logged_in_username>/.ssh/id_rsa_c2c type 1
debug1: identity file /home/<logged_in_username>/.ssh/id_rsa_c2c-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 21:1b:bb:32:4c:69:f3:eb:91:79:e7:ca:d4:30:ff:70
debug1: Host '<ssh_server>' is known and matches the ECDSA host key.
debug1: Found key in /home/<logged_in_username>/.ssh/known_hosts:519
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/<logged_in_user>/.ssh/id_rsa_c2c
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to <IP_of_server>:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env LC_PAPER = en_US.utf8
debug1: Sending env LC_ADDRESS = en_US.utf8
debug1: Sending env LC_MONETARY = en_US.utf8
debug1: Sending env LC_NUMERIC = en_US.utf8
debug1: Sending env LC_ALL = en_US.utf8
debug1: Sending env LC_TELEPHONE = en_US.utf8
debug1: Sending env LC_MESSAGES = en_US.utf8
debug1: Sending env LC_IDENTIFICATION = en_US.utf8
debug1: Sending env LC_COLLATE = en_US.utf8
debug1: Sending env LANG = en_US.utf8
debug1: Sending env LC_MEASUREMENT = en_US.utf8
debug1: Sending env LC_CTYPE = en_US.utf8
debug1: Sending env LC_TIME = en_DK.utf8
debug1: Sending env LC_NAME = en_US.utf8
Solution
Your ssh connection works, because it uses a private key from ~/.ssh/id_rsa_c2c (as configured in ssh_config). The .ssh folder and ssh_config file serve as a configuration for OpenSSH toolset (ssh in this case). You cannot expect that other SSH clients/libraries will use OpenSSH configuration files. They won't, in general.
If you want to use public key authentication with Paramiko, use key_filename argument of SSHClient.connect.
See also How to ssh connect through python Paramiko with ppk public key.
Though Paramiko, in particular, would use a key file, if it had a common name like id_rsa, id_dsa, etc. See Force password authentication (ignore keys in .ssh folder) in Paramiko in Python for exactly opposite problem.
Obligatory warning: Do not use AutoAddPolicy, unless you do not care about security. You are losing a protection against MITM attacks this way.
For a correct solution, see Paramiko "Unknown Server".
Answered By - Martin Prikryl Answer Checked By - Dawn Plyler (WPSolving Volunteer)